Malware that Symantec says was probably developed by a nation state may have been used for as long as eight years, a length of time that underscores the challenges the security industry faces in detecting advanced spying tools.
On Sunday, the computer security company published a 22-page report and blog post on the Regin malware, which it described as a powerful cyberespionage platform that can be customized depending on what type of data is sought.
It was predominantly targeted at telecoms companies, small businesses and private individuals, with different modules customized for stealing particular kinds of information. Symantec found about 100 entities infected with Regin in 10 countries, mostly in Russia and Saudi Arabia, but also in Mexico, Ireland, India, Afghanistan, Iran, Belgium, Austria and Pakistan
A first version of Regin was active between 2008 and 2011. Symantec began analyzing a second version of Regin about a year ago that had been forwarded by one of its customers, said Liam O’Murchu, a Symantec researcher, in a phone interview Sunday.
But there are forensic clues that Regin may have been active as far back as 2006. In fact, Symantec didn’t actually give Regin its name. O’Murchu said Symantec opted to use that name since it had been dubbed that by others in the security field who have known about it for some time.
If Regin does turn out to be 8 years old, the finding would mean that nation states are having tremendous success in avoiding the latest security products, which doesn’t bode well for companies trying to protect their data. Symantec didn’t identify who it thinks may have developed Regin.
Symantec waited almost a year before publicly discussing Regin because it was so difficult to analyze. The malware has five separate stages, each of which is dependent on the previous stage to be decrypted, O’Murchu said. It also uses peer-to-peer communication, which avoids using a centralized command-and-control system to dump stolen data, he said.
It’s also unclear exactly how users become infected with Regin. Symantec figured out how just one computer became infected so far, which was via Yahoo’s Messenger program, O’Murchu said.
It is possible the user fell victim to social engineering, where a person is tricked into clicking on a link sent through Messenger. But O’Murchu said it is more likely that Regin’s controllers knew of a software vulnerability in Messenger itself and could infect the person’s computer without any interaction from the victim.
“The threat is very advanced in everything it does on the computer,” O’Murchu said. “We imagine these attacks have quite advanced methods for getting it installed.”
Telecom companies have been particularly hard hit by Regin. Some of the companies have been infected by Regin in multiple locations in multiple countries, Symantec found.
The attackers appear to have sought login credentials for GSM base stations, which are the first point of contact for a mobile device to route a call or request data. Stealing administrator credentials could have allowed Regin’s masters to change settings on the base station or access certain call data.
Regin’s other targets included the hospitality, airline and ISP industries, as well as government.
“We do not think [Regin] is a criminal type of enterprise,” O’Murchu said. “It’s more along the lines of espionage.”